https://chng.it/jJvMChbdsJ
Sun, 26 Dec 2021, 02:13 linux_forum1 <linux_forum1@protonmail.com>:
Hello, I'm trying to make the most specific, secure and restrictive
iptables possible for a simple VPN connection on Debian. Could you have a quick look if those are OK? Thanks so much!
VPN Server Port: 1194
VPN Server IP: 189.174.135.110
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
#no fragmented packets
-A INPUT -f -j DROP
#localhost
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# first packet has to be TCP syn
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#drop sop icmp
-A INPUT -p icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
#Ping from inside to outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#drop broadcast, multicast anycast
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
#drop invalid
-A INPUT -m state --state INVALID -j DROP
#drop spoofed packets
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# DROP RFC1918 PACKETS
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
#Allow VPN
-A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
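An added example, not part of either message above and not from the iptables project: a small Python parser and first-match evaluator for the rule syntax in the quoted post. It keeps an abridged copy of the quoted rules (the "- A" typo left in so the parser reports it) and then traces constructed packets through the corrected INPUT and OUTPUT chains. The post names only the server 189.174.135.110, port 1194 and the 192.168.1.0/24 range; the client address 192.168.1.10, the tunnel interface tun0, the tunnel address 10.8.0.2 and the destination 203.0.113.10 are assumptions made here.

```python
# Added example, not code from the post or the iptables project: a parser and
# first-match evaluator for the quoted rule syntax, to lint it and trace packets.
import ipaddress
import shlex

# Constructed, abridged copy of the posted rules; the "- A" typo is kept on purpose.
POSTED_RULES = """\
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -f -j DROP
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
- A INPUT -i eth0 -p udp -m udp -s 189.174.135.110 -d 192.168.1.0/24 --sport 1194 --dport 32768:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp -s 192.168.1.0/24 -d 189.174.135.110 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""
FIXED_RULES = POSTED_RULES.replace("\n- A ", "\n-A ")  # same rules, typo fixed

# Options with one argument, mapped to the packet field they test.
ARG_OPTS = {"-i": "in_iface", "-o": "out_iface", "-p": "proto", "-s": "src",
            "-d": "dst", "--sport": "sport", "--dport": "dport", "--icmp-type":
            "icmp_type", "--state": "state", "--ctstate": "state", "--dst-type": "dst_type"}
FLAG_OPTS = {"-f": "fragment", "--syn": "syn"}  # options that take no argument

def parse_rules(text):
    """Return (policies, rules, errors); malformed lines are reported, not loaded."""
    policies, rules, errors = {}, [], []
    for n, line in enumerate(text.splitlines(), 1):
        toks = shlex.split(line)
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            errors.append(f"line {n}: expected -A or -P, got {line[:4]!r}")
            continue
        conds, target, neg, i = [], None, False, 2
        while i < len(toks):
            t, i = toks[i], i + 1
            if t == "!":
                neg = True
            elif t == "-m":            # "-m state" etc. add no match of their own here
                i += 1
            elif t == "-j":
                target, i = toks[i], i + 1
            elif t in ARG_OPTS:
                conds.append((ARG_OPTS[t], toks[i], neg))
                neg, i = False, i + 1
            elif t in FLAG_OPTS:
                conds.append((FLAG_OPTS[t], True, neg))
                neg = False
            else:
                raise ValueError(f"line {n}: unsupported option {t!r}")
        rules.append({"chain": toks[1], "conds": conds, "target": target})
    return policies, rules, errors

def _match(field, want, pkt):
    """One condition against one packet; a field the packet lacks never matches."""
    have = pkt.get(field)
    if have is None:
        return False
    if field in ("src", "dst"):
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    if field in ("sport", "dport"):            # single port or lo:hi range
        lo, _, hi = want.partition(":")
        return int(lo) <= have <= int(hi or lo)
    if field == "state":                       # comma-separated list of states
        return have in want.split(",")
    return have == want

def evaluate(policies, rules, chain, pkt):
    """Walk one chain in order: the first matching rule decides, else the policy."""
    for rule in rules:
        if rule["chain"] == chain and all(
                _match(f, w, pkt) != neg for f, w, neg in rule["conds"]):
            return rule["target"]
    return policies[chain]

def decisions():
    """Trace constructed sample packets through the corrected ruleset."""
    policies, rules, _ = parse_rules(FIXED_RULES)
    client = "192.168.1.10"                    # assumed LAN address of the client
    reply = {"in_iface": "eth0", "proto": "udp", "src": "189.174.135.110", "dst": client,
             "sport": 1194, "dport": 40000, "state": "ESTABLISHED"}
    handshake = {"out_iface": "eth0", "proto": "udp", "src": client,
                 "dst": "189.174.135.110", "dport": 1194, "state": "NEW"}
    # Assumed tunnel interface and addresses; the posted rules name neither.
    tunnel = {"out_iface": "tun0", "proto": "tcp", "src": "10.8.0.2",
              "dst": "203.0.113.10", "dport": 443, "state": "NEW", "syn": True}
    cases = {"vpn_reply_established": ("INPUT", reply),
             "vpn_reply_new": ("INPUT", dict(reply, state="NEW")),
             "vpn_handshake_out": ("OUTPUT", handshake),
             "tunnel_traffic_out": ("OUTPUT", tunnel)}
    return {k: evaluate(policies, rules, c, p) for k, (c, p) in cases.items()}
```

parse_rules(POSTED_RULES) reports the "- A" line and loads the other rules; decisions() then shows the handshake out and the established reply in being accepted and the same reply with state NEW falling to the DROP policy. The last case is the one to notice: every ACCEPT in the posted OUTPUT chain is tied to eth0 or lo, so a packet leaving on the tunnel interface matches nothing and is dropped by the policy; rules for the tunnel interface would have to be added separately.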
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)